CVE-2021-39134: UNIX Symbolic Link (Symlink) Following
(updated )
@npmcli/arborist
, the library that calculates dependency trees and manages the node_modules
folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.
References
Detect and mitigate CVE-2021-39134 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →